Overview
This course aims to help learners understand the strengths and weaknesses of Static Application Security Testing (SAST) tools, illustrating how they trace code for vulnerabilities. By the end of the course, students will be able to identify the out-of-the-box rules shipped with commercial and open-source SAST tools, write custom rules for tools such as PMD, and integrate SAST into existing build and deployment pipelines. The teaching method combines concept explanation, tool demonstrations, and guidance on customization and integration. The course is intended for enterprise application security teams that want to strengthen their security programs by using SAST tools effectively.
Syllabus
Introduction
Why do we need tools?
Static Analysis
Assumptions
Workflow
Java Workflow
Framework Analysis
Pattern Matching
Data Flow Analysis
Benefits of Analysis
Why does Static Analysis take so long?
Postprocessing
PMD
PMD Rule
PMD Designer
Writing the Rule
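The kind of artifact the PMD sessions build up to is a ruleset file containing an XPath rule that matches a pattern in the Java AST. The following is an added example written for this page, not material from the course or from the PMD project; it assumes PMD 7 (the XPathRule class name and the Java AST node names differ in PMD 6), and the rule name, message and file contents are hypothetical:

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example ruleset (not part of the course materials). Written for PMD 7;
     the Java AST node names and the XPathRule class name differ in PMD 6. -->
<ruleset name="Custom Security Rules"
         xmlns="http://pmd.sourceforge.net/ruleset/2.0.0"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://pmd.sourceforge.net/ruleset/2.0.0 https://pmd.sourceforge.io/ruleset_2_0_0.xsd">

  <description>
    Hypothetical custom rule illustrating XPath pattern matching on the Java AST.
  </description>

  <!-- Flags every call to java.lang.Runtime.exec(...), whatever the arguments.
       This is pure pattern matching (the "Pattern Matching" session): PMD does
       not track whether the argument is attacker-controlled, so hard-coded
       commands are reported too and must be triaged by hand. -->
  <rule name="AvoidRuntimeExec"
        language="java"
        message="Runtime.exec() called; review the argument for OS command injection"
        class="net.sourceforge.pmd.lang.rule.xpath.XPathRule">
    <description>
      Runtime.exec() hands a command to the operating system. If any part of that
      command is built from user input, the call is a command injection sink.
    </description>
    <priority>1</priority>
    <properties>
      <property name="xpath">
        <value><![CDATA[
//MethodCall[pmd-java:matchesSig("java.lang.Runtime#exec(_*)")]
]]></value>
      </property>
    </properties>
    <example><![CDATA[
public class Ping {
    public String ping(String host) throws Exception {
        // flagged: host is concatenated into a string that /bin/sh will parse
        Process p = Runtime.getRuntime().exec(
            new String[] { "/bin/sh", "-c", "ping -c 1 " + host });
        return new String(p.getInputStream().readAllBytes());
    }
}
]]></example>
  </rule>
</ruleset>
```

Saved as, say, security-rules.xml, the ruleset runs with `pmd check -d src -R security-rules.xml -f text`; `pmd designer` opens the PMD Designer, where the XPath expression can be tried against a pasted snippet and the matched AST nodes inspected before the rule is committed to a pipeline. Because an XPath rule only sees syntax, the argument wildcard `_*` deliberately matches every overload of exec(); narrowing it to calls whose argument is tainted is the job of the data-flow analysis the syllabus covers separately, not of this rule.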
Taught by
LASCON